From 40947fb5575fa3a6053302263a52bbaa54ecff97 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@helsinki.at>
Date: Thu, 17 Dec 2015 16:34:46 +0100
Subject: added check for authorization to musicgrid.cgi


diff --git a/rh-bin/musicgrid.cgi b/rh-bin/musicgrid.cgi
index aa823aa..b1bfa1f 100755
--- a/rh-bin/musicgrid.cgi
+++ b/rh-bin/musicgrid.cgi
@@ -34,7 +34,7 @@ my $responsecode = 500;
 my @clocks = ();
 
 my $q = CGI->new;
-my $username = ""; #$q->param('LOGIN_NAME');
+my $username = "equinox"; #$q->param('LOGIN_NAME');
 my $token = ""; #$q->param('PASSWORD');
 my $cmd = "get"; #$q->param('COMMAND');
 
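Review bot: The request principal is now a fixed literal, `my $username = "equinox"; #$q->param('LOGIN_NAME');`, with the real parameter read left in a comment, and `$token` and `$cmd` on the following lines are likewise constants rather than request parameters; combined with `my $authenticated = 1;` in the second hunk (the `check_token` call is also commented out), every request is treated as an authenticated session for that one user and the new `is_musicpools_user` check is evaluated against that name instead of the caller's. If this is development scaffolding, it should say so where it cannot be missed, e.g. `# FIXME: dev-only stub — restore $q->param('LOGIN_NAME') / check_token before deployment`, and the commit message should not describe the result as an authorization check being "added" without that caveat. The intended lines appear to be `my $username = $q->param('LOGIN_NAME');` and `my $token = $q->param('PASSWORD');` as the comments indicate.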
@@ -81,9 +81,9 @@ if(!defined $username) {
 } else {
   (my $ctx, $status, $errorstring) = RHRD::rddb::init();
   if(defined $ctx) {
-    my $result = 1; #  (my $result, $status, $errorstring) = RHRD::rddb::check_token($ctx, $username, $token);
-    if($result == 1) {
-      # TODO: check if user is allowed to read/edit music pools
+    my $authenticated = 1; #  (my $authenticated, $status, $errorstring) = RHRD::rddb::check_token($ctx, $username, $token);
+    my $authorized = RHRD::rddb::is_musicpools_user($ctx, $username);
+    if($authenticated == 1 && $authorized == 1) {
       if($cmd eq "get") {
         ($responsecode, $errorstring) = get_clocks($ctx);
       }
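Review bot: `my $authorized = RHRD::rddb::is_musicpools_user($ctx, $username);` assigns in scalar context, so if that function follows the same `(result, status, errorstring)` return convention that the commented-out `check_token` call on the line above shows, `$authorized` receives the last element of the returned list (the error string) rather than the result, and `$authorized == 1` would then never be true for a permitted user. If that convention applies, the line should be `(my $authorized, $status, $errorstring) = RHRD::rddb::is_musicpools_user($ctx, $username);`; if the function really returns a single scalar, a short comment stating its return values (1 / 0 / undef on error) next to the call would make the later `== 1` / `== 0` comparisons auditable. The enclosing `if(defined $ctx)` block continues past the end of this hunk.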
@@ -94,8 +94,11 @@ if(!defined $username) {
         $responsecode = 400;
         $errorstring = "command '$cmd' is unknown";
       }
-    } elsif($result == 0) {
+    } elsif($authenticated == 0) {
       $responsecode = 401;
+    } elsif($authorized == 0) {
+      $responsecode = 403;
+      $errorstring = "user '" . $username . "' is not allowed to access the music grid";
     } else {
       $responsecode = 500;
     }
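Review bot: `} elsif($authorized == 0) {` also matches an undefined `$authorized`, because numeric `==` treats undef as 0 (with a warning), so if `is_musicpools_user` signals a lookup or database failure by returning undef the caller gets a 403 with the message "is not allowed to access the music grid" instead of falling through to the 500 branch, which misreports an infrastructure error as a policy decision. Making the branch `} elsif(defined $authorized && $authorized == 0) {` keeps 403 for an explicit denial and lets everything else reach the existing `else` that sets 500. Note also that the `401` branch on `$authenticated == 0` is unreachable while `$authenticated` is the constant 1 assigned in the previous hunk. The `else` branch's enclosing block closes outside this hunk.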
-- 
cgit v0.10.2